
How to activate l2l and remote-vpn at the same time

Hi, experts.

I need to set up a LAN-to-LAN VPN and a remote-access VPN for the Cisco remote client.

I configured two crypto maps for VPN on a Cisco 1841 (c1841-advipservicesk9-mz.124-15.T6.bin).
One is for the LAN-to-LAN VPN, the other is for the remote-access VPN (for the Cisco remote client).

In order to activate the two VPNs at the same time,
I made the configuration like the following.
--------------------------------------------
crypto map MOON 1 ipsec-isakmp
set peer (Remote WAN IP Address)
set transform-set HOPE
match address 100
crypto map MOON 2 ipsec-isakmp dynamic DREAM

crypto map DREAM client authentication list vpn.client
crypto map DREAM isakmp authorization list vpn
crypto map DREAM client configuration address respond
crypto map DREAM 1 ipsec-isakmp dynamic DREAM
--------------------------------------------

However, MOON 2 (dynamic DREAM) doesn't work.
When I set "crypto map DREAM" on the interface, it functions without problem and can establish a VPN with the Cisco remote client.

Could you let me know how I can configure both VPNs, MOON 1 and MOON 2 (dynamic DREAM), to work at the same time?

9 REPLIES

Re: How to activate l2l and remote-vpn at the same time

Hi,

You don't need two crypto maps.

You need a static crypto map and then bind the dynamic crypto map to the static one.

The configuration will look like this:

crypto map mymap 5 ipsec-isakmp
set peer 192.168.11.2
set transform-set newset
match address VPN_BO1

crypto dynamic-map dynmap 10
set transform-set remote-set

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

In the above example, you have a dynamic crypto map called ''dynmap'' which is mapped to the static crypto map mymap.

Hope it helps.

Federico.



Re: How to activate l2l and remote-vpn at the same time

Hi,

I revised my configuration like the following,

but it doesn't work.

Could you let me know where the problem is?

crypto dynamic-map dynmap 10
set transform-set EARTH
reverse-route
!
!
crypto map MOON 1 ipsec-isakmp
set peer  (Remote WAN IP Address)
set transform-set HOPE
match address 100
crypto map MOON 20 ipsec-isakmp dynamic dynmap
!
crypto map dynmap client authentication list vpn.client
crypto map dynmap isakmp authorization list vpn
crypto map dynmap client configuration address respond

Re: How to activate l2l and remote-vpn at the same time

These lines:

crypto map dynmap client authentication list vpn.client
crypto map dynmap isakmp authorization list vpn
crypto map dynmap client configuration address respond

Should be:

crypto map MOON client authentication list vpn.client
crypto map MOON isakmp authorization list vpn
crypto map MOON client configuration address respond

Federico.


Re: How to activate l2l and remote-vpn at the same time

Hi,

Thank you for your reply. I changed my configuration based on your information, but it failed. Please let me know the reason for the problem.

aaa new-model
aaa authentication login OCEAN_VPN_CLIENT local
aaa authorization network OCEAN local
!
ip cef
!
multilink bundle-name authenticated
!
username ****** password 0 ********
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key abcde address 1.1.1.1
crypto isakmp invalid-spi-recovery
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group OCEAN
key OCEAN
dns 192.168.2.50
pool dynpool
acl SPLIT
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set HOPE esp-aes 256 esp-sha-hmac
crypto ipsec transform-set EARTH esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set EARTH
reverse-route
!
crypto map MOON local-address FastEthernet0
crypto map MOON 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set HOPE
match address 100
crypto map MOON 2 ipsec-isakmp dynamic dynmap
!
crypto map MOON client authentication list OCEAN_VPN_CLIENT
crypto map MOON isakmp authorization list OCEAN
crypto map MOON client configuration address respond
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MOON
!
interface FastEthernet0/1
ip address 192.168.2.251 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool dynpool 192.168.2.101 192.168.2.120
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (WAN IP ADDRESS)
ip route 10.0.0.0 255.255.255.0 192.168.2.254
!
!
ip http server
no ip http secure-server
ip nat inside source list MIRACLE interface FastEthernet0/0 overload
!
ip access-list extended MIRACLE
deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended SPLIT
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
logging 192.168.2.100
access-list 5 permit 192.168.2.254
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community heaven RW 5
!

Re: How to activate l2l and remote-vpn at the same time

Please post the output of these commands when connecting the VPN client:

debug cry isa

debug cry ipsec

Federico.


Re: How to activate l2l and remote-vpn at the same time

Hi,

I confirmed it works with this configuration. I mean l2l and "remote vpn with cisco vpn client" work at the same time. Thank you.
However, after my confirmation, something is wrong with l2l.

Since a couple of minutes ago, the l2l vpn has become unavailable.
When the l2l vpn had no problem, the "show crypto isakmp sa" state was "QM_IDLE".
But the "state" has become "CONF_XAUTH" since a couple of minutes ago,
and in the case of "CONF_XAUTH", I can't establish the l2l vpn ("remote vpn with cisco vpn client" is working).


Like the following, I am not sure of the reason the "state" is "CONF_XAUTH".
How can I change the status from "CONF_XAUTH" to "QM_IDLE"?

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2        1.1.1.1        CONF_XAUTH        1002    0 ACTIVE

show crypto ipsec sa
no "ACTIVE"

Output of debug isakmp sa
*Nov  5 13:47:47.203: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Nov  5 13:47:47.203: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Nov  5 13:47:47.207: ISAKMP: New peer created peer = 0x65C532B4 peer_handle = 0x80000002
*Nov  5 13:47:47.207: ISAKMP: Locking peer struct 0x65C532B4, refcount 1 for crypto_isakmp_process_block
*Nov  5 13:47:47.207: ISAKMP:(0):Setting client config settings 64E45C0C
*Nov  5 13:47:47.207: ISAKMP:(0):(Re)Setting client xauth list  and state
*Nov  5 13:47:47.207: ISAKMP/xauth: initializing AAA request
*Nov  5 13:47:47.207: ISAKMP: local port 500, remote port 500
*Nov  5 13:47:47.207: insert sa successfully sa = 65D69D98
*Nov  5 13:47:47.207: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 13:47:47.207: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Nov  5 13:47:47.207: ISAKMP:(0): processing SA payload. message ID = 0
*Nov  5 13:47:47.211: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID is NAT-T v2
*Nov  5 13:47:47.211: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID is NAT-T v3
*Nov  5 13:47:47.211: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov  5 13:47:47.211: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Nov  5 13:47:47.211: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.211: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Nov  5 13:47:47.211: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Nov  5 13:47:47.211: ISAKMP:(0): local preshared key found
*Nov  5 13:47:47.211: ISAKMP:(0): Authentication by xauth preshared
*Nov  5 13:47:47.211: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov  5 13:47:47.211: ISAKMP:      default group 2
*Nov  5 13:47:47.211: ISAKMP:      encryption AES-CBC
*Nov  5 13:47:47.211: ISAKMP:      keylength of 256
*Nov  5 13:47:47.211: ISAKMP:      hash SHA
*Nov  5 13:47:47.211: ISAKMP:      auth pre-share
*Nov  5 13:47:47.211: ISAKMP:      life type in seconds
*Nov  5 13:47:47.211: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Nov  5 13:47:47.211: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov  5 13:47:47.211: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov  5 13:47:47.211: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Nov  5 13:47:47.211: ISAKMP:      default group 2
*Nov  5 13:47:47.211: ISAKMP:      encryption AES-CBC
*Nov  5 13:47:47.211: ISAKMP:      keylength of 256
*Nov  5 13:47:47.211: ISAKMP:      hash SHA
*Nov  5 13:47:47.211: ISAKMP:      auth pre-share
*Nov  5 13:47:47.211: ISAKMP:      life type in seconds
*Nov  5 13:47:47.211: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Nov  5 13:47:47.211: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov  5 13:47:47.211: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov  5 13:47:47.211: ISAKMP:(0):Acceptable atts:life: 0
*Nov  5 13:47:47.211: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov  5 13:47:47.211: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov  5 13:47:47.215: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov  5 13:47:47.215: ISAKMP:(0)::Started lifetime timer: 86400.

*Nov  5 13:47:47.267: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.267: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov  5 13:47:47.267: ISAKMP:(0): vendor ID is NAT-T v2
*Nov  5 13:47:47.267: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.267: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov  5 13:47:47.267: ISAKMP:(0): vendor ID is NAT-T v3
*Nov  5 13:47:47.267: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.267: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov  5 13:47:47.271: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Nov  5 13:47:47.271: ISAKMP:(0): processing vendor id payload
*Nov  5 13:47:47.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Nov  5 13:47:47.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 13:47:47.271: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Nov  5 13:47:47.271: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov  5 13:47:47.271: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Nov  5 13:47:47.271: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov  5 13:47:47.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 13:47:47.271: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Nov  5 13:47:47.275: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Nov  5 13:47:47.275: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 13:47:47.275: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Nov  5 13:47:47.275: ISAKMP:(0): processing KE payload. message ID = 0
*Nov  5 13:47:47.343: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov  5 13:47:47.343: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Nov  5 13:47:47.347: ISAKMP:(1001): processing vendor id payload
*Nov  5 13:47:47.347: ISAKMP:(1001): vendor ID is Unity
*Nov  5 13:47:47.347: ISAKMP:(1001): processing vendor id payload
*Nov  5 13:47:47.347: ISAKMP:(1001): vendor ID seems Unity/DPD but major 201 mismatch
*Nov  5 13:47:47.347: ISAKMP:(1001): vendor ID is XAUTH
*Nov  5 13:47:47.347: ISAKMP:(1001): processing vendor id payload
*Nov  5 13:47:47.347: ISAKMP:(1001): speaking to another IOS box!
*Nov  5 13:47:47.347: ISAKMP:(1001): processing vendor id payload
*Nov  5 13:47:47.347: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
*Nov  5 13:47:47.347: ISAKMP:received payload type 20
*Nov  5 13:47:47.347: ISAKMP:received payload type 20
*Nov  5 13:47:47.347: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 13:47:47.347: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Nov  5 13:47:47.347: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Nov  5 13:47:47.347: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:47:47.347: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 13:47:47.351: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Nov  5 13:47:47.355: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Nov  5 13:47:47.355: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 13:47:47.355: ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Nov  5 13:47:47.355: ISAKMP:(1001): processing ID payload. message ID = 0
*Nov  5 13:47:47.355: ISAKMP (0:1001): ID
payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.1
        protocol     : 17
        port         : 0
        length       : 12
*Nov  5 13:47:47.355: ISAKMP:(0):: peer matches *none* of the profiles
*Nov  5 13:47:47.355: ISAKMP:(1001): processing HASH payload. message ID = 0
*Nov  5 13:47:47.355: ISAKMP:received payload type 17
*Nov  5 13:47:47.355: ISAKMP:(1001): processing vendor id payload
*Nov  5 13:47:47.355: ISAKMP:(1001): vendor ID is DPD
*Nov  5 13:47:47.355: ISAKMP:(1001):SA authentication status:
        authenticated
*Nov  5 13:47:47.355: ISAKMP:(1001):SA has been authenticated with 1.1.1.1
*Nov  5 13:47:47.355: ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/,  and inserted successfully 65C532B4.
*Nov  5 13:47:47.355: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 13:47:47.355: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Nov  5 13:47:47.359: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov  5 13:47:47.359: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 2.2.2.2
        protocol     : 17
        port         : 500
        length       : 12
*Nov  5 13:47:47.359: ISAKMP:(1001):Total payload length: 12
*Nov  5 13:47:47.359: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Nov  5 13:47:47.359: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:47:47.359: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 13:47:47.359: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Nov  5 13:47:47.359: ISAKMP:(1001):Need XAUTH
*Nov  5 13:47:47.359: ISAKMP: set new node 1767620883 to CONF_XAUTH
*Nov  5 13:47:47.359: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Nov  5 13:47:47.359: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Nov  5 13:47:47.359: ISAKMP:(1001): initiating peer config to 1.1.1.1. ID = 1767620883
*Nov  5 13:47:47.363: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
*Nov  5 13:47:47.363: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:47:47.363: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov  5 13:47:47.363: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

*Nov  5 13:47:47.371: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
*Nov  5 13:47:55.367: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
Router#
*Nov  5 13:48:02.363: ISAKMP:(1001): retransmitting phase 2 CONF_XAUTH    1767620883 ...
*Nov  5 13:48:02.363: ISAKMP (0:1001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Nov  5 13:48:02.363: ISAKMP (0:1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Nov  5 13:48:02.363: ISAKMP:(1001): retransmitting phase 2 1767620883 CONF_XAUTH
*Nov  5 13:48:02.363: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
*Nov  5 13:48:02.363: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:48:03.367: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
*Nov  5 13:48:11.371: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
*Nov  5 13:48:17.363: ISAKMP:(1001): retransmitting phase 2 CONF_XAUTH    1767620883 ...
*Nov  5 13:48:17.363: ISAKMP (0:1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Nov  5 13:48:17.363: ISAKMP (0:1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Nov  5 13:48:17.363: ISAKMP:(1001): retransmitting phase 2 1767620883 CONF_XAUTH
*Nov  5 13:48:17.363: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
*Nov  5 13:48:17.363: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:48:19.375: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
*Nov  5 13:48:19.375: ISAKMP: set new node -770956005 to CONF_XAUTH
*Nov  5 13:48:19.375: ISAKMP:(1001): processing HASH payload. message ID = -770956005
*Nov  5 13:48:19.375: ISAKMP:(1001): processing DELETE payload. message ID = -770956005
*Nov  5 13:48:19.375: ISAKMP:(1001):peer does not do paranoid keepalives.

*Nov  5 13:48:19.375: ISAKMP:(1001):deleting node -770956005 error FALSE reason "Informational (in) state 1"
*Nov  5 13:48:19.379: ISAKMP (0:1001): received packet from 1.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
*Nov  5 13:48:19.379: ISAKMP: set new node 742216394 to CONF_XAUTH
*Nov  5 13:48:19.379: ISAKMP:(1001): processing HASH payload. message ID = 742216394
*Nov  5 13:48:19.379: ISAKMP:(1001): processing DELETE payload. message ID = 742216394
*Nov  5 13:48:19.379: ISAKMP:(1001):peer does not do paranoid keepalives.

*Nov  5 13:48:19.379: ISAKMP:(1001):peer does not do paranoid keepalives.

*Nov  5 13:48:19.379: ISAKMP:(1001):deleting SA reason "No reason" state (R) CONF_XAUTH    (peer 1.1.1.1)
*Nov  5 13:48:19.379: ISAKMP:(1001):deleting node 742216394 error FALSE reason "Informational (in) state 1"
*Nov  5 13:48:19.379: ISAKMP: set new node 1457933454 to CONF_XAUTH
*Nov  5 13:48:19.383: ISAKMP:(1001): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
*Nov  5 13:48:19.383: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov  5 13:48:19.383: ISAKMP:(1001):purging node 1457933454
*Nov  5 13:48:19.383: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov  5 13:48:19.383: ISAKMP:(1001):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA

*Nov  5 13:48:19.383: ISAKMP:(1001):deleting SA reason "No reason" state (R) CONF_XAUTH    (peer 1.1.1.1)
*Nov  5 13:48:19.383: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Nov  5 13:48:19.383: ISAKMP: Unlocking peer struct 0x65C532B4 for isadb_mark_sa_deleted(), count 0
*Nov  5 13:48:19.383: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 65C532B4
*Nov  5 13:48:19.383: ISAKMP:(1001):deleting node 1767620883 error FALSE reason "IKE deleted"
*Nov  5 13:48:19.383: ISAKMP:(1001):deleting node -770956005 error FALSE reason "IKE deleted"
*Nov  5 13:48:19.383: ISAKMP:(1001):deleting node 742216394 error FALSE reason "IKE deleted"
*Nov  5 13:48:19.383: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 13:48:19.383: ISAKMP:(1001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA


IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2        1.1.1.1        CONF_XAUTH        1002    0 ACTIVE

Output of debug ipsec sa
Router#
*Nov  5 13:50:44.951: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov  5 13:50:44.951: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Nov  5 13:50:44.955: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov  5 13:50:44.955: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Nov  5 13:50:44.955: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 1.1.1.1
*Nov  5 13:50:44.959: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Router#

Re: How to activate l2l and remote-vpn at the same time

Hi,

CONF_XAUTH is a state in which the router is expecting the peer router (or VPN client) to respond to its XAUTH request.

Since l2l tunnel does not require XAUTH, configure the following and test it again:

crypto isakmp key abcde address 1.1.1.1 no-xauth

Let us know how it goes.

Regards,

Praveen
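The two fixes in this thread (Federico's point that the client-authentication lines belong on the static crypto map, not the dynamic map, and Praveen's no-xauth fix for the L2L peer) can both be checked mechanically before a config is pushed. The following Python lint is an added example, not code from the thread or from Cisco; its regexes only cover the crypto-map, dynamic-map and isakmp-key lines shown above, and the embedded sample configuration is a constructed copy of the one posted.

```python
import re

# Constructed sample modelled on the config posted in the thread: client-auth lines
# sit on static map MOON, but the L2L peer's pre-shared key lacks "no-xauth".
SAMPLE_CONFIG = """\
crypto isakmp key abcde address 1.1.1.1
crypto dynamic-map dynmap 1
crypto map MOON 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set HOPE
 match address 100
crypto map MOON 2 ipsec-isakmp dynamic dynmap
crypto map MOON client authentication list OCEAN_VPN_CLIENT
crypto map MOON isakmp authorization list OCEAN
crypto map MOON client configuration address respond
"""
# The earlier mistake from the thread: client-auth lines on the dynamic map name.
WRONG_MAP_CONFIG = SAMPLE_CONFIG.replace("crypto map MOON c", "crypto map dynmap c") \
                                .replace("crypto map MOON i", "crypto map dynmap i")

DYN_MAP = re.compile(r"^crypto dynamic-map (\S+) \d+$")
DYN_BIND = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
STATIC_ENTRY = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$")
CLIENT_LINE = re.compile(r"^crypto map (\S+) (client authentication list|"
                         r"isakmp authorization list|client configuration address)")
PSK = re.compile(r"^crypto isakmp key \S+ address (\S+)(.*)$")
SET_PEER = re.compile(r"^set peer (\S+)$")


def lint_crypto_maps(config):
    """Return a list of findings for the two misconfigurations discussed in the thread."""
    dyn_maps, static_maps, xauth_maps = set(), set(), set()
    peers = {}          # static map -> its L2L peer addresses
    psk_no_xauth = {}   # peer address -> True if its key carries no-xauth
    client_lines = []   # (map name, directive) for every client/authorization line
    current = None      # static map entry whose sub-commands we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYN_MAP.match(line):
            dyn_maps.add(m.group(1)); current = None
        elif m := DYN_BIND.match(line):
            static_maps.add(m.group(1)); current = None
        elif m := STATIC_ENTRY.match(line):
            static_maps.add(m.group(1)); current = m.group(1)
        elif current and (m := SET_PEER.match(line)):
            peers.setdefault(current, []).append(m.group(1))
        elif m := CLIENT_LINE.match(line):
            client_lines.append((m.group(1), m.group(2)))
        elif m := PSK.match(line):
            psk_no_xauth[m.group(1)] = "no-xauth" in m.group(2)
        elif not line.startswith(("set ", "match ")):
            current = None  # any other top-level command ends the map entry
    findings = []
    for name, directive in client_lines:
        if name in dyn_maps and name not in static_maps:
            findings.append(f"'{directive}' is applied to dynamic map {name}; "
                            f"move it to the static crypto map that binds {name}")
        elif name in static_maps:
            xauth_maps.add(name)  # this map will XAUTH every peer it terminates
    for name in sorted(xauth_maps):
        for peer in peers.get(name, []):
            if not psk_no_xauth.get(peer, False):
                findings.append(f"L2L peer {peer} on map {name} will be held in CONF_XAUTH; "
                                f"add 'no-xauth' to its 'crypto isakmp key ... address' line")
    return findings
```

Running `lint_crypto_maps` on the posted config reports the missing no-xauth for 1.1.1.1; on the earlier variant it reports the three misplaced dynmap lines instead, and a config with both fixes applied returns no findings.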


Re: How to activate l2l and remote-vpn at the same time

Hi,

Thank you for your help.

Now, Everything is fine. l2l and remote-vpn are functioning at the same time.

I truly appreciated your taking the time.

Re: How to activate l2l and remote-vpn at the same time

Hi,

Glad that it helped. Please mark this Question as answered for the benefit of others.

Also, at some point in time, if you run into issues with configuring Dynamic L2L and Remote Access VPN, refer to the link below:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Regards,

Praveen
